Files
hermes-skills/skills/devops/infrastructure-automation/references/credential-audit-pattern.md
T

2.3 KiB

Credential Audit Pattern

Systematic verification of all credentials across a server's config files.

Step 1 — Discover credential locations

# Find .env files
find /root/docker -name ".env" -o -name ".env.example"

# Find password/cred files
find /root/.config -type f \( -name "*.pass" -o -name "*.token" -o -name "*.cred" \)

# Find embedded keys in config.yaml
grep -rn "api_key\|password\|secret\|token" /root/.hermes/config.yaml | grep -v "^#"

Step 2 — Categorize by type

Type Test Method
Cloudflare API key GET /client/v4/user/tokens/verify → 200
Firecrawl API key POST /api/v1/search → 200
LLM provider key curl to /v1/models → 200
IMAP password imaplib.IMAP4_SSL.login() → OK
SMTP password smtplib.SMTP.login() → OK
Database password SELECT 1 via native client
Docker service password psql -U user -c "SELECT 1" via docker exec
CalDAV password PROPFIND to caldav host → 207

Step 3 — Test each credential

Each test should return a clear SUCCESS/FAILURE indicator. Batch independent tests into a single terminal call.

Step 4 — Report results

Credential Location Status
FIRECRAWL_API_KEY ~/.hermes/.env HTTP 200
admin-ai api_key config.yaml HTTP 200
g@germainebrown.com (IMAP) himalaya/*.pass LOGIN OK

Pitfalls

  • Secrets redacted by the agent's redactorread_file and grep show secrets as sk-lbh...bWPA. Use od -c or sed -n '8p' /root/.hermes/config.yaml | xxd to recover actual values.
  • iCloud app-specific passwords expire — Apple requires new app-specific passwords periodically. Generate at appleid.apple.com → App-Specific Passwords.
  • CalDAV passwords are NOT the same as IMAP passwords — iCloud requires separate passwords for each service, and the CalDAV password file is different from the IMAP password file.
  • Service environment vars may not be in .env — Some services pass secrets via docker-compose environment: blocks or systemd Environment= lines. Check both docker-compose.yml and service unit files.
  • "Bearer *** bug" — Shell scripts that hardcode *** instead of $VARIABLE_NAME in curl Authorization headers. Always verify the variable is used, not literal asterisks.